Domain 2 · 2.3 Types of Vulnerabilities

2.3.4 Virtualization & Cloud

VM escape, resource reuse.

10 min

Virtualization and cloud computing leverage shared physical hardware to deliver scalable services, requiring robust isolation to prevent unauthorized access to data and resources.

Virtualization Risks and VM Escape Virtualization provides an abstraction layer between hardware and operating systems, but this layer introduces unique attack vectors. - Hypervisor: The software (Type 1 bare metal or Type 2 hosted) that creates and runs Virtual Machines (VMs). It is the single point of failure; if the hypervisor is compromised, all guest VMs are at risk. - VM Escape: An exploit where an attacker "breaks out" of a guest VM to access the underlying hypervisor or other guest VMs. This is a critical failure of sandboxing. - VM Sprawl: The uncontrolled deployment of VMs without proper oversight or decommissioning, leading to unpatched systems and a larger attack surface. - Isolation: The primary security control in virtualization. It ensures that processes and data in one VM remain invisible and inaccessible to another VM on the same host.

Resource Reuse and Multi-tenancy Cloud providers use multi-tenancy, where multiple customers (tenants) share the same physical CPU, memory, and storage. - Resource Reuse: When a tenant releases a resource (like RAM or disk space), the provider must ensure the data is cleared before assigning it to a new tenant. - Data Remanence: The residual data remaining on a storage medium after a file is deleted. In the cloud, failure to zero-out disks or clear memory buffers can lead to sensitive data leakage between tenants. - Side-Channel Attacks: Exploiting physical properties (like power consumption or timing) of shared hardware to leak information between isolated VMs.

Cloud Deployment and Security Frameworks Securing cloud resources relies on standardized architectures and shared responsibility models. - Cloud Deployment Models: Includes Public (shared by everyone), Private (single organization), Community (shared by specific groups), and Hybrid (combination). - Cloud Architecture Models: SaaS (Software), PaaS (Platform), and IaaS (Infrastructure). Security responsibility shifts from the provider (SaaS) to the consumer (IaaS). - Cloud Controls Matrix (CCM): A framework developed by the Cloud Security Alliance (CSA) to provide systematic security assessments and ensure compliance across cloud environments. - Shared Responsibility Model: A fundamental concept where the provider secures the "Cloud" (physical/global infrastructure) and the customer secures "in the Cloud" (data, apps, and IAM).

Quick recall - VM Escape: Attacker moves from Guest VM to Host/Hypervisor. - VM Sprawl: Too many VMs, too little management. - Resource Reuse: Risk of data leakage if hardware isn't cleared between users. - CIS/NIST/CSA: Frameworks used to audit and template cloud security. - Sandboxing: Hardened isolation used to test suspicious files or isolate tenants.